wmichael
Staff
Article Id 370525
Description This article describes how to block access from potentially malicious sources of traffic and anonymizing services such as known C&C botnets, malicious servers, Tor, anonymous VPNs, and proxy servers.
Scope FortiOS v7.2.1 and later.
Solution

Starting with FortiOS v7.2.1, Internet Service (ISDB) objects can be used as the source of a firewall policy. This makes it possible to deny traffic to a published server (a VIP) when it originates from FortiGuard-maintained categories of addresses rather than from a manually maintained address list.

 

To configure a VIP, see Virtual IP (VIP) port forwarding configuration.

 

In this example, port1 is the WAN interface, and port10 is the LAN interface where the server the VIP translates to is located.

 

Create a new firewall policy in the web GUI: Policy & Objects -> Firewall Policy -> Create New.

Set the Incoming Interface to the WAN interface from which the VIP is reached (port1 in this example) and the Outgoing Interface to the interface where the translated server is located (port10).

In the Source field, select Internet Service and search for Botnet-C&C.Server, Malicious-Malicious.Server, Spam-Spamming.Server, Proxy-Proxy.Server, Tor-Exit.Node, Tor-Relay.Node, and VPN-Anonymous.VPN. These Internet Service objects are the source addresses of the firewall policy; FortiGuard updates the address ranges behind them, so no static address objects need to be maintained.

 

This example shows searching for the Tor and VPN objects in the GUI:

 

[Screenshots 00-TOR.jpg and 01-VPN.jpg: the Internet Service search in the Source field for the Tor and VPN objects]

 

Configure the Destination field as the virtual IP. Configure the Schedule field as 'always'. Configure the Action field as 'Deny'.

 

Optionally, on the CLI, enable 'match-vip' on the deny policy and use 'all' as the destination. By default a policy whose destination is 'all' does not match traffic that is destined for a VIP, so without 'match-vip' such a deny policy would be skipped; with it enabled, the policy also matches the DNATed traffic. See VIP traffic not matching the firewall policy with an 'all' destination for more information on this setting.

 

[Screenshot new-policy.jpg: the completed deny policy with the Internet Service sources, the VIP as destination and the action set to Deny]

 

Ensure this deny policy is placed above the policy allowing Internet access to the VIP. Policies are evaluated from the top of the list down and the first match wins, so a deny policy below the allow policy would never be reached.

 

[Screenshot new-policies.jpg: the policy list with Deny-to-VIP above Internet-to-VIP]

 

 

To configure the firewall policies on the CLI:

 

config firewall policy
    edit 2
        set name "Deny-to-VIP"
        set srcintf "port1"
        set dstintf "port10"
        set action deny
        set dstaddr "Web Server"
        set internet-service-src enable
        set internet-service-src-name "Botnet-C&C.Server" "Malicious-Malicious.Server" "Spam-Spamming.Server" "Proxy-Proxy.Server" "Tor-Exit.Node" "Tor-Relay.Node" "VPN-Anonymous.VPN"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 1
        set name "Internet-to-VIP"
        set srcintf "port1"
        set dstintf "port10"
        set action accept
        set srcaddr "all"
        set dstaddr "Web Server"
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

 

This blocks access to the VIP from these potentially malicious sources. Note that the CLI output above lists the deny policy (ID 2) before the allow policy (ID 1) because policies are evaluated in the order they appear in the configuration, not by ID. If the allow policy already exists, a policy created afterwards is appended below it and must be moved above the allow policy, either by dragging it in the GUI or with 'move' under 'config firewall policy' on the CLI. Because 'logtraffic all' is set on the deny policy, matches can be confirmed in the forward traffic log.
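The ordering requirement is easy to get wrong when the deny policy is added to a FortiGate that already has the allow policy. The following Python script is an added example and not Fortinet code: it parses a 'config firewall policy' dump (for instance the output of 'show firewall policy'), reports every accept policy for a named VIP that is not preceded by a deny policy using Internet Service sources on the same interface pair, and emits the 'move' command that fixes the order. The sample configuration is constructed from the two policies in this article, deliberately listed in the wrong order; the function and variable names are the example's own and are not FortiOS API names.

```python
"""Lint a FortiOS 'config firewall policy' dump for the ordering requirement in
this article: an ISDB-source deny policy must precede the accept policy that
publishes the same VIP, because policies are evaluated top-down, first match wins.
"""
import re

# Constructed sample: the article's two policies as they would appear if the
# accept policy had been created first and the deny policy appended afterwards.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "Internet-to-VIP"
        set srcintf "port1"
        set dstintf "port10"
        set action accept
        set srcaddr "all"
        set dstaddr "Web Server"
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    edit 2
        set name "Deny-to-VIP"
        set srcintf "port1"
        set dstintf "port10"
        set action deny
        set dstaddr "Web Server"
        set internet-service-src enable
        set internet-service-src-name "Botnet-C&C.Server" "Malicious-Malicious.Server" "Tor-Exit.Node"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
"""

_QUOTED = re.compile(r'"([^"]*)"')


def parse_policies(text):
    """Return the policies as dicts in configuration (= evaluation) order.
    Every 'set' value becomes a list of strings so multi-valued settings such as
    'set dstaddr "a" "b"' and single keywords such as 'set action deny' look alike."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit ") and current is None:
            current = {"id": int(line.split()[1])}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            value = parts[2] if len(parts) > 2 else ""
            current[parts[1]] = _QUOTED.findall(value) or value.split()
    return policies


def _covers(deny, accept):
    """True when 'deny' would catch ISDB-sourced traffic headed for 'accept':
    deny action, Internet Service sources, same interface pair, and either the
    same destination object or 'all' together with match-vip (the CLI variant
    the article describes)."""
    if deny.get("action") != ["deny"] or deny.get("internet-service-src") != ["enable"]:
        return False
    if deny.get("srcintf") != accept.get("srcintf") or deny.get("dstintf") != accept.get("dstintf"):
        return False
    if deny.get("dstaddr") == accept.get("dstaddr"):
        return True
    return deny.get("dstaddr") == ["all"] and deny.get("match-vip") == ["enable"]


def check_vip_deny_order(policies, vip_names):
    """One finding per accept policy publishing a VIP in 'vip_names' that is not
    preceded by a covering deny policy. 'fix' is the FortiOS CLI command that
    reorders the pair when a covering deny policy exists but sits too low."""
    findings = []
    for pos, accept in enumerate(policies):
        if accept.get("action") != ["accept"]:
            continue
        if not vip_names.intersection(accept.get("dstaddr", [])):
            continue  # not a policy that publishes one of the VIPs of interest
        covering = [(i, p) for i, p in enumerate(policies) if _covers(p, accept)]
        if any(i < pos for i, _ in covering):
            continue  # a deny policy already sits above this accept policy
        if covering:
            deny = covering[0][1]
            findings.append({"accept": accept["id"], "deny": deny["id"],
                             "fix": f"move {deny['id']} before {accept['id']}"})
        else:
            findings.append({"accept": accept["id"], "deny": None, "fix": None})
    return findings


def apply_move(policies, policy_id, before_id):
    """Reproduce the effect of 'move <policy_id> before <before_id>' on the list,
    so the fix can be verified before it is typed into the FortiGate."""
    moving = next(p for p in policies if p["id"] == policy_id)
    rest = [p for p in policies if p["id"] != policy_id]
    idx = next(i for i, p in enumerate(rest) if p["id"] == before_id)
    return rest[:idx] + [moving] + rest[idx:]


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    for finding in check_vip_deny_order(pols, {"Web Server"}):
        print(finding)
    print("after reordering:", check_vip_deny_order(apply_move(pols, 2, 1), {"Web Server"}))
```

Run against the sample, the script reports that accept policy 1 is not protected and suggests 'move 2 before 1'; after applying that move to the parsed list, the check passes. On a real configuration, paste the output of 'show firewall policy' in place of the constructed sample and pass the names of the VIP objects you publish.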

 

For more information about the Internet Services used in this article, see the following ISDB references on FortiGuard Labs:

Internet Services Botnet-C&C.Server

Internet Services Malicious-Malicious.Server

Internet Services Spam-Spamming.Server

Internet Services Proxy-Proxy.Server

Internet Services Tor-Exit.Node

Internet Services Tor-Relay.Node

Internet Services VPN-Anonymous.VPN